NRL IPv6+IPsec Software Distribution

Introduction

The NRL IPv6+IPsec Software Distribution is a reference implementation of
IPv6 and IP Security (IPsec). It is freely distributable (within the bounds of
appropriate laws and regulations) and usable for commercial and non-commercial
purposes as long as the license terms are adhered to.

This version of the software has been tested on x86 systems running BSD/OS
4.0, FreeBSD 3.0, NetBSD 1.3.[23], and OpenBSD 2.[34]. It has also been tested
on SPARC systems running OpenBSD 2.3. Parts of this software have been tested
on x86 systems running Linux 2.1. We believe that our code should be easily
portable to reasonable 4.4BSD-Lite2 derived systems. We believe that it would
be difficult, though not impossible, to port our code to other systems.

This implementation includes kernel networking software and system
configuration applications (e.g. ifconfig, netstat, and route) modified to
support IPv6/IPsec. This implementation also includes the NRL Key Engine
(aka PF_KEY) and an application to interface with it. There are manual pages
for the modified and new software, but they might not yet be as detailed as
one might like.

This IPv6/IPsec software is intended to be used by kernel hackers and
implementers who want to get early access and experience with IPv6 and IPsec.
Use at your own risk. It is complete enough to use for experimenting, but it is
not entirely complete. In some areas this is because the specifications are not
yet stable.

What's New

Alpha 7.1 (December 1998)

This is a minor update to Alpha 7. If you are not using OpenBSD or NetBSD,
there is no need for you to update from Alpha 7.

Minor fixes.

Updated OpenBSD port to 2.4 and NetBSD port to 1.3.3. Note that we have
not extensively tested the updated ports, so we also include the ports
to OpenBSD 2.3 and NetBSD 1.3.2.

Alpha 7 (November 1998)

Bug fixes.

A major re-organization of the distribution. The layout of the
distribution has changed in dramatic ways to support five divergent
systems.

Some updates to sync with specs. In particular, the ESP and AH code was
rewritten because spec changes obsoleted existing implementations.

An incomplete but usable implementation of our new network processing API.
In particular, non-security options are currently not supported, and most
of the optional security parameters don't actually do anything. Our old
network security APIs are no longer supported.

Removed contributed software; it had fallen out of date. It probably will
return.

A port to BSD/OS 4.0. This system now ships with an older version of
our code merged in; this port drops over the shipped source tree and
updates it to our latest release. Because BSD/OS has our changes merged
into the OS source, this port is a more proper integration and does not
remove BSDI's changes to 4.4BSD-Lite2 (e.g., in netinet).

Ports to OpenBSD 1.3.2, FreeBSD 3.0, and NetBSD 1.3.2. These ports are
more proper integrations than previous versions; in particular, we patch
into the systems' netinet trees rather than replacing them with our own.
This means we do not remove the system's changes to 4.4BSD-Lite2.

Improvements to the Linux 2.1 PF_KEYv2 port.

ipv6_preparse() is out and nbufs are in. ipv6_preparse() was bad for
performance, a frequent source of confusion, and made us dependent on
mbufs. nbufs are portable to systems such as Linux, generally faster
than using ipv6_preparse()d mbufs, and make our code far more portable
to non-BSD systems.

N.B.: This release is much more of a "snapshot" than a "release". Our
code is currently in the middle of significant improvements.

Legal

UNIX is a trademark of X/Open.

NRL is a trademark of the US Naval Research Laboratory.

All other trademarks are property of their respective owners.

For more information

Download the code! If you are in the U.S., get the code from MIT. Users
outside the U.S. are on their own -- parts of the code are export controlled.